Find the Firewall & CDN Used by a Website During a Pentest with Vxscan

The information gathering phase is where a pentester prepares for the phases that follow, because in this phase the pentester has to collect as much information about the target as possible. There are many automation tools used for gathering information. Today we will show a Python script used for gathering information. Vxscan is an extensive scanning tool used for detecting sensitive files, WAF/CDN identification, port scanning, fingerprinting, service and OS identification, and weak-password checks.

Vxscan also tries to detect a WAF (Web Application Firewall) and a CDN (Content Delivery Network). A WAF blocks, filters and monitors malicious HTTP traffic; it covers common attacks on web applications such as cross-site scripting. A CDN serves web content to users based on their geographical location: when a user visits a web page from their computer, the CDN serves the content from a node close to their network. Vxscan has a pre-defined list of WAF and CDN signatures, which it matches against the target website's responses to identify the WAF and CDN in use.
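To make the "pre-defined list" mechanism concrete, here is a small header-based WAF/CDN and Server-banner fingerprinter written for this article; it is not Vxscan's own code, and its signature table is an illustrative subset (Cloudflare, Akamai, Sucuri, Incapsula, CloudFront) rather than the tool's list. The two response headers it is run on are constructed samples: one mimics a site behind a CDN, the other the bare nginx banner seen in the testphp.vulnweb.com scan below.

```python
import re

# Constructed sample HTTP response heads (not captured from any real site).
SAMPLE_BEHIND_CDN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: placeholder-ray-id\r\n"      # placeholder value, not a real ray id
    "\r\n"
)
SAMPLE_ORIGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.4.1\r\n"
    "X-Powered-By: PHP/5.3.1\r\n"
    "\r\n"
)

# Illustrative subset of WAF/CDN signatures, in the spirit of Vxscan's
# pre-defined list: (vendor, header name, case-insensitive regex on its value).
SIGNATURES = [
    ("Cloudflare", "server", r"cloudflare"),
    ("Cloudflare", "cf-ray", r".+"),
    ("Akamai", "server", r"akamaighost"),
    ("Sucuri", "x-sucuri-id", r".+"),
    ("Sucuri", "server", r"sucuri"),
    ("Imperva Incapsula", "x-cdn", r"incapsula"),
    ("Imperva Incapsula", "x-iinfo", r".+"),
    ("Amazon CloudFront", "via", r"cloudfront"),
    ("Amazon CloudFront", "x-amz-cf-id", r".+"),
]

def parse_headers(raw):
    """Parse a raw HTTP response head into a dict of lower-cased names -> values."""
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def identify_waf_cdn(headers):
    """Return the sorted vendors whose signatures match, or ['NoWAF'] like Vxscan."""
    found = set()
    for vendor, name, pattern in SIGNATURES:
        value = headers.get(name)
        if value is not None and re.search(pattern, value, re.IGNORECASE):
            found.add(vendor)
    return sorted(found) or ["NoWAF"]

def server_banner(headers):
    """Split the Server header into (product, version); version is None if not disclosed."""
    match = re.match(r"([^/\s]+)(?:/(\S+))?", headers.get("server", ""))
    return (match.group(1), match.group(2)) if match else (None, None)
```

Run against your own site's responses, this shows exactly what a reconnaissance scanner sees: a disclosed version such as nginx/1.4.1 is the kind of banner that `server_tokens off;` (nginx) or `ServerTokens Prod` (Apache) removes.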

  • For testing we will use Kali Linux 2018.4 amd64. Before going further, make sure python3 is installed in Kali Linux. For that, type sudo apt-get update && sudo apt-get install python3
  • Then type git clone https://github.com/al0ne/Vxscan.git
  • Type cd Vxscan && ls
  • Some prerequisites are required for the installation of Vxscan. To install them:
  • Type sudo apt-get install python-requests tqdm pyfiglet fake-useragent beautifulsoup4 geoip2 tldextract python-nmap lxml pymongo virustotal_python
  • If some dependencies show as not found in the Kali Linux repository, type python -m pip install <dependency> for each of them
  • After installing all the dependencies, type wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
  • If the above link shows an error, you can download the required file manually and replace GeoLite2-City.mmdb in /home/iicybersecurity/Downloads/Vxscan/db
  • After replacing it, type pip3 install -r requirements.txt
  • Then type python3 Vxscan.py -h
  • For testing we will use DVWA (Damn Vulnerable Web Application) & https://testphp.vulnweb.com
  • Type python3 Vxscan.py -u testphp.vulnweb.com
root@kali:/home/iicybersecurity/Downloads/Vxscan# python3 Vxscan.py -u https://testphp.vulnweb.com
__     __
\ \   / /_  _____  ___ __ _ _ __
 \ \ / /\ \/ / __|/ __/ _` | '_ \
  \ V /  >  <\__ \ (_| (_| | | | |
   \_/  /_/\_\___/\___\__,_|_| |_|


----------------------------------------------------------------------------------------------------
Host: testphp.vulnweb.com
----------------------------------------------------------------------------------------------------
GeoIP:
 [+] Address: 德国
 [+] Ipaddr: 176.28.50.165
 Webinfo:
 [+] Title: Home of Acunetix Art
 [+] Fingerprint: ['DreamWeaver', 'PHP', 'php', 'Nginx']
 [+] Server: nginx/1.4.1
 [+] WAF: NoWAF
 VT PDNS:
 [+] None
 Reverse IP Domain Check:
 [+] 176.28.50.165
 [+] rs202995.rs.hosteurope.de
 [+] testhtml5.vulnweb.com
 [+] testphp.ingensec.ch
 [+] testphp.ingensec.com
 [+] testphp.ingensec.fr
 [+] testphp.vulnweb.com
 [+] vulnweb.com
 [+] www.vulnweb.com
 PortScan:
 [+] Portspoof:0
 Vuln:
 [+] MySQL SQLi:https://testphp.vulnweb.com/artists.php?artist=2
 [+] MySQL SQLi:https://testphp.vulnweb.com/listproducts.php?cat=1
 [+] MySQL SQLi:https://testphp.vulnweb.com/search.php?test=query
 OS:
 [+] None
 running 31.986 seconds...
  • The above output shows the basic info about the target website. Vxscan has found the IP address of the target website, which can be used to verify which IP range is assigned to the target.
  • Then it shows the basic fingerprint of the website, including the backend language (PHP) in which the target's website code is written. It also shows DreamWeaver, which indicates that the website front-end was built using Adobe Dreamweaver. Adobe Dreamweaver is a popular Adobe product that helps create HTML pages quickly, as it offers drag & drop editing.
  • Vxscan has also found the server (nginx 1.4.1) on which the target website is hosted.
  • Vxscan has done a reverse IP domain check, which shows other web pages hosted on the target's IP address. An attacker can use such names to build a wordlist (e.g. with crunch) for the target website and use it in dictionary attacks.
  • Vxscan also shows the vulnerable links of vulnweb.com, where you can use SQL injection methods or other scanning tools for further hacking activities.
  • For further testing we will scan DVWA (Damn Vulnerable Web Application).
root@kali:/home/iicybersecurity/Downloads/Vxscan# python3 Vxscan.py -u https://192.168.1.105
__     __
\ \   / /_  _____  ___ __ _ _ __
 \ \ / /\ \/ / __|/ __/ _` | '_ \
  \ V /  >  <\__ \ (_| (_| | | | |
   \_/  /_/\_\___/\___\__,_|_| |_|


----------------------------------------------------------------------------------------------------
Host: testphp.vulnweb.com
----------------------------------------------------------------------------------------------------
GeoIP:
 [+] Address: None
 [+] Ipaddr: 192.168.1.105
 Webinfo:
 [+] Title: Damn Vulnerable Web App (DVWA) - Login
 [+] Fingerprint: ['UNIX', 'mod_dav', 'mod_ssl', 'Apache', 'mod_perl', 'Perl', 'PHP', 'OpenSSL']
 [+] Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
 [+] WAF: NoWAF
 VT PDNS:
 [+] None
 Reverse IP Domain Check:
 [+] error check your search parameter
 PortScan:
 [+] ftp:21
 [+] HTTPS:443
 [+] https:80
 [+] mysql:3306
 [+] ssh:22
 Vuln:
 [+] https://192.168.1.105 | Damn Vulnerable Web App (DVWA) - Login
 [+] https://192.168.1.105 | Damn Vulnerable Web App (DVWA) - Login
 OS:
 [+] Linux 2.6.17 - 2.6.36
 running 7.737 seconds…
  • The above output shows the target IP address and web info. It also shows the reverse IP domain check & the vulnerability in two web pages.
  • Now we will scan another website, hack.me.
root@kali:/home/iicybersecurity/Downloads/Vxscan# python3 Vxscan.py -u hack.me
__     __
\ \   / /_  _____  ___ __ _ _ __
 \ \ / /\ \/ / __|/ __/ _` | '_ \
  \ V /  >  <\__ \ (_| (_| | | | |
   \_/  /_/\_\___/\___\__,_|_| |_|

----------------------------------------------------------------------------------------------------
Host: hack.me
----------------------------------------------------------------------------------------------------
GeoIP:
 [+] Address: 美国 佛罗里达州 坦帕
 [+] Ipaddr: 74.50.111.244
 Webinfo:
 [+] Title: Hack.me · The house of rising sandbox
 [+] Fingerprint: ['animate.css', 'Bootstrap', 'IIS', 'Font Awesome', 'Windows Server', 'jQuery', 'jQuery Migrate']
 [+] Server: Microsoft-IIS/7.5
 [+] WAF: NoWAF
 VT PDNS:
 [+] None
 Reverse IP Domain Check:
 [+] API count exceeded - Increase Quota with Membership
 PortScan:
 [+] Portspoof:0
 Vuln:
 [+] Leaks: username = username
 [+] Leaks: token = document
 [+] Leaks: username = document
 [+] Leaks: password = password
 [+] Leaks: password = document
 [+] Leaks: token = security
 OS:
 [+] None
 running 90.759 seconds…
  • The above output shows the IP address, location and server of the target website. Vxscan also shows the leaks in the login page.